CYBERNEWSMEDIA Network:||
CYBERNEWSMEDIA
CYBERNEWSMEDIA

Cybersecurity News, Insights & Analysis

Latest
TrueConf Zero-Day Exploited in Asian Government Attacks
In Other News: ChatGPT Data Leak, Android Rootkit, Water Facility Hit by Ransomware
Critical ShareFile Flaws Lead to Unauthenticated RCE
Mobile Attack Surface Expands as Enterprises Lose Control
React2Shell Exploited in Large-Scale Credential Harvesting Campaign
AD · 970×250

Vulnerabilities

Second Wave of Attacks Hitting SAP NetWeaver After Zero-Day Compromise

Threat actors are revisiting SAP NetWeaver instances to leverage webshells deployed via a recent zero-day vulnerability. The post Second Wave of Attacks Hitting SAP NetWeaver After Zero-Day Compromise appeared first on SecurityWeek.

SAP vulnerabilities

Threat actors have been observed launching a second wave of attacks against SAP NetWeaver instances that were compromised via a recent zero-day vulnerability, enterprise application security firm Onapsis warns.

The zero-day, tracked as CVE-2025-31324 (CVSS score of 10/10), was disclosed on April 24, after SAP updated its April 2025 Security Patch Day bulletin to add a fresh note addressing it.

In-the-wild exploitation of the bug was observed by cybersecurity firm ReliaQuest on systems that had the latest patches installed and was associated with initial access brokers. According to Mandiant, the flaw had been exploited since at least mid-March 2025.

SAP, which describes the security defect as a missing authorization check in NetWeaver’s Visual Composer development server, confirmed that it was exploited to upload malicious files to specific paths on vulnerable servers.

Threat actors have been targeting vulnerable NetWeaver instances to deploy JSP webshells in a root directory, which has allowed them to deploy additional payloads, execute code, and move laterally in the affected environments.

On Monday, Onapsis warned that it was “seeing a second wave of attacks staged by follow-on, opportunistic threat actors who are leveraging previously established webshells (from the first zero-day attack) on vulnerable systems.”

In collaboration with Mandiant, Onapsis on Friday released an open source scanner to help organizations hunt for indicators of compromise (IoCs) associated with CVE-2025-31324’s exploitation.

The tool can identify vulnerable systems, find IoCs, search for unknown web-executable files in known directories, and collect the suspicious files for future analysis.

As more webshells deployed as part of the widespread exploitation have been identified, the cybersecurity firm on May 5 updated a YARA rule released last week to help organizations identify positive webshell access.

According to data from the nonprofit cybersecurity organization The Shadowserver Foundation, more than 200 internet-accessible NetWeaver instances remain vulnerable to CVE-2025-31324.

The number has nearly halved from April 28, when more than 400 servers were vulnerable, despite a sharp increase to over 3,400 observed before May 1.

The US cybersecurity agency CISA added CVE-2025-31324 to its Known Exploited Vulnerabilities (KEV) catalog on April 29, urging federal agencies to patch it by May 20.

Related: Exploited Vulnerability Exposes Over 400 SAP NetWeaver Servers to Attacks

Related: SAP Patches Critical Code Injection Vulnerabilities

Related: Samsung MagicINFO Vulnerability Exploited Days After PoC Publication

Related: Critical Vulnerability in AI Builder Langflow Under Attack

Latest News

CYBERNEWSMEDIAPublisher